Transcription

2 Please Note IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. 2

6 What is SAML? Security Assertion Markup Language (SAML) OASIS XML-based standard Used to exchange authentication and authorization data between parties Identity Provider handles authentication and the creation and verification of SAML tokens. Service Provider accepts a SAML Token as an identity assertion SAML comprised of many (20+) profiles describing very specific uses cases on how to use SAML WebSphere Support Technical Exchange 6 6

7 Why SAML Web SSO? Growing popularity Client-based (browser) SSO solution Decoupling from the server allows greater ease of interoperability between cross-vendor products Relies on identity assertion rather than server-side authentication This means WAS does not need to be connected to the user registry at all WebSphere Support Technical Exchange 7 7

8 Common Usage Cases Target user registry not visible on WAS network SSO interoperability between WAS and non-was servers using the IdP as a common login portal SAML assertion is saved in the security Subject for down-stream calls IdP-agnostic, because all SAMLResponses and tokens must be formatted according to OASIS standards WebSphere Support Technical Exchange 8 8

9 SAML Highlights Web SSO Post Binding Profile Delivered in WAS Full Profile , , SSO between WAS and non WAS servers Relies on a Identity Assertion rather than server side authentication Typically using an Identity Provider (IdP) Web Service Security Token Profile 1.1 Delivered in WAS Full Profile and and above Used by JAX-WS applications between WAS and non WAS servers Requires a Security Token Service such as TFIM or ADSM 9

10 SAML Web SSO Post Binding Profile 10

11 Basic Flow WebSphere Support Technical Exchange 11 11

12 Basic Flow Described 1. User accesses IdP Either directly, or through redirect via WAS TAI error page definition. WAS does NOT support SP-initiated SSO 2. IdP sends back SAMLResponse POST to WAS 3. ACSTrustAssociationInterceptor grabs the response 4. ACS TAI grabs the username attribute (NameId by default) and any other defined group membership attributes and passes them to the SP Depending on TAI config, SP may verify user and/or user s group membership in a repository, 5. SP uses that data to create an LTPA token SP is either the default WebSphereSamlSP at the /samlsps context, or a customer-implemented SP WebSphere Support Technical Exchange 12 12

13 Basic Flow continued WebSphere Support Technical Exchange 13 13

14 WAS Configuration - Enablement Update to or Install WebSphereSamlSP.ear or run installsamlacs.py script Enable ACS TAI via AdminTask.addSAMLTAISSO or add the class manually in ISC Import the IdP's FederationMetadata.xml using the AdminTask.importSAMLIdpMetadata command, or simply import its signer certificate Configure WAS to trust the IdP's realm Configure WAS security custom properties and ACSTAI custom properties WebSphere Support Technical Exchange 14 14

15 Example TAI properties WebSphere Support Technical Exchange 15 15

16 Authorization Group membership can be asserted in the SAMLResponse and/or grabbed from the WAS user registry Controlled by sso_<id>.sp.groupmap and sso<id>.sp.groupname Security role to user/group mappings defined in the normal fashion, but watch out for weird realm names. Purely asserted groups must be mapped manually, since the registry isn t searchable from the WAS ISC WebSphere Support Technical Exchange 16 16

17 SSL Transport- and message-layer encryption are both optional Best practice: the public key from the IdP be imported into WAS so that we can validate/trust the <Signature> Message-layer encryption can be enabled by providing the IdP with the WAS public key, and specifying the sso_<id>.sp.keystore, sso_<id>.sp.keypassword, and sso_<id>.sp.keyalias TAI custom props for the private key WebSphere Support Technical Exchange 17 17

18 Error Pages Unauthenticated requests are redirected based on sso_<id>.sp.login.error.page https:// or MappingClassName Almost always want to set this to the same URL as sso_<id>.idp_<id>.singlesignonurl More complex deployments will want to implement the IdentityProviderMapping interface to allow for dynamic error pages Generates error page URL using the unauthenticated HttpServletRequest as input WebSphere Support Technical Exchange 18 18

21 Web Service SAML single-sign-on and propagation A user authenticates to an STS and requests SAML tokens using the bearer(or sender-vouches) confirmation method. The user then uses SAML tokens to access a business services provider. The business services provider validates the SAML tokens and asserts the identity and attributes of the user based on the trust relationship between the provider and the issuing STS (or sender). The service provider request service from next service provider with propogated SAML token 21

22 Web Service SAML single-sign-on with holder-of-key 1 The user logs on with a Web browser using SPNEGO (or Form Login) and is authenticated. A JAAS subject is created. 2 The credential from the SPNEGO token is used to request a SAML token using WS-Trust. The token is signed with the trust server private key. 3 The signature of the SAML token is validated based on the trust relationship. The security credential is created using the attributes from the SAML token. The cryptographic key from the SAML token is used to decrypt the SOAP message. 22

23 SAML Assertion across multiple security domains This sample diagram shows three WebSphere Application Server security domains, each of which has its own user registry. Users in the two security domains on the left send Web services messages to access resources of the security domain on the right. Users send their identities in SAML tokens to identify themselves to the target security domain. A Web services provider will use the SAML user identity to create a security context without checking its own user registry. 23

25 Create,validate,parse,and request SAML using API Use the SAML library application programming interface (API), the SAMLTokenFactory, to configure token parameters, create a SAML token, and bind the created token to a service request. Use the SAML trust client API to send WS-Trust SOAP requests to the specified external Security Token Service (STS) to request, validate, or exchange an SAML token. 25

28 What is OAUTH? Open Authorization (Oauth) Provides a way for a client to access a server resource on behalf of the resource owner Provides a way for the end user to authorize a 3 rd party to their server resources without sharing their credentials Becoming popular in social computing space As an example, Facebook and Google leverages for accessing their public APIs. WebSphere Support Technical Exchange 28 28

30 Other non-technical examples Participant passcode vs leader passcode on a teleconference or web conference. Doctor s prescription A boarding pass Any other master key system such as those used by hotels and offices for room/cabinet access

31 Example UseCase for OAUTH OAuth allows for resource sharing for social computing applications Scenario Alice wants to print her Google Picasa photos using a third party online photo printing service. Alice protects her Google Picasa photo albums using a password. Alice does not want to share her password. Using OAuth, Alice will grant access to the third party printing service the ability to read her photo. 03/28/11 31 IBM Confidential

32 Example user experience In this example, a client has a twitter account. The client application will be the online library example, and will tweet which books have been borrowed by the end-user to their twitter account. When borrowing a book for the first time (i.e. the client needs to establish an access token for the user), you are redirected to twitter for authorization. 32

33 Example user experience cont After authorization, the application can tweet using the access token The application can continue to use that access token until it expires If I login to twitter directly, I can see any tweets that were made on my behalf via API 33

34 OAuth 2.0 authorization code flow Classic three-legged OAuth with a resource owner, client and service provider. 1. The client (e.g. a web application) decides that access is required to the resource owner s private resources at a known service provider. 2. Client redirects the user to the authorization server to authorize access. 3. Service provider generates a onetime authorization code that is sent via redirect back to the client. 4. Client exchanges authorization code for an authorized access token [and refresh token]. 5. Client can [repeatedly] use the access token to obtain access to the private resources. 34

35 OAUTH 2.0 Highlights Delivered in WAS Full Profile , , and and WAS Liberty Profile WAS IBM Product Exploits Lotus Connections 35

37 For more information Configuring and using OAUTH from my security website OAUTH for WebSphere Application Server for Full WAS Profile Dd OAUTH for WebSphere Application Server for Liberty Profile dd 37

38 We love your Feedback! Don t forget to submit your Impact session and speaker feedback! Your feedback is very important to us we use it to improve next year s conference Go to the Impact 2013 SmartSite (http://impactsmartsite/com): Use the session ID number to locate the session Click the Take Survey link Submit your feedback 38

39

40 Legal Disclaimer IBM Corporation All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete: Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete: All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus Sametime Unyte ). Subsequent references can drop IBM but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to for guidance on which trademarks require the or symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. If you reference Adobe in the text, please mark the first use and include the following; otherwise delete: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. If you reference Java in the text, please mark the first use and include the following; otherwise delete: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. If you reference Microsoft and/or Windows in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. If you reference Intel and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete: Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. If you reference UNIX in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries. If you reference Linux in your presentation, please mark the first use and include the following; otherwise delete: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.

How to Deliver Measurable Business Value with the Enterprise CMDB James Moore jdmoore@us.ibm.com Product Manager, Business Service, Netcool/Impact 2010 IBM Corporation Agenda What is a CMDB? What are CMDB

Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software

An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

Lawson M3 7.1 on IBM POWER 520 and IBM i V6.1 IBM Systems & Technology Group Paul Swenson paulswen@us.ibm.com This document can be found on the web, Version Date: April 28, 2009 Statement of Approval...

WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,

CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty

Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing

Get Success in Passing Your Certification Exam at first attempt! Exam : C2150-575 Title : IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version : Demo 1.What is the default file name of the

An Oracle White Paper June 2011 OpenLDAP Oracle Enterprise Gateway Integration Guide 1 / 29 Disclaimer The following is intended to outline our general product direction. It is intended for information

HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying

How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and

Agenda Key: Session Number: System i Access for Windows: Data Transfer Tips and Techniques 8 Copyright IBM Corporation, 2008. All Rights Reserved. This publication may refer to products that are not currently

Business Process Management IBM Business Process Manager V7.5 Federated task management overview This presentation gives you an overview on the federated task management feature in IBM Business Process

SINGLE SIGNON FUNCTIONALITY IN HATS USING MICROSOFT SHAREPOINT PORTAL SINGLE SIGNON: Single Signon feature allows users to authenticate themselves once with their credentials i.e. Usernames and Passwords

Configure Single Sign on Between Domino and WPS What we are doing here? Ok now we have the WPS server configured and running with Domino as the LDAP directory. Now we are going to configure Single Sign

Samsung KNOX EMM Authentication Services SDK Quick Start Guide June 2014 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license

Lotus Sametime Version 8.0 FIPS Support for IBM Lotus Sametime 8.0 SC23-8760-00 Disclaimer THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE

Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories

IBM SPSS Collaboration and Deployment Services Version 6 Release 0 Single Sign-On Services Developer's Guide Note Before using this information and the product it supports, read the information in Notices

Tivoli Endpoint Manager for Security and Compliance Analytics User s Guide User s Guide i Note: Before using this information and the product it supports, read the information in Notices. Copyright IBM

IBM System z Cloud Computing with xcat on z/vm 6.3 Thang Pham z/vm Development Lab thang.pham@us.ibm.com Trademarks The following are trademarks of the International Business Machines Corporation in the

Deploying a private database cloud on z Systems How DPS evolved over time and what is coming next SAP on z IBM Systems Conference Holger Scheller - IBM April 13 th, 2016 Trademarks The following are trademarks